MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 29f75d4db1b85197038c1ed08661ef0a72158ac895e6aac76526bab07d83c318. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 8


Intelligence 8 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 29f75d4db1b85197038c1ed08661ef0a72158ac895e6aac76526bab07d83c318
SHA3-384 hash: 5a0046749c7677f77d4bcf65e708dac98ed8b9248a39a2fdb959dc3ae0663325b3feb8943bf82241d4d6431bb7fb7f28
SHA1 hash: 9ad88734ca8e7c7e0f09b89f244ca7f4a1f606a6
MD5 hash: ea85c89530ed6f12fd8b75451f37afd5
humanhash: alabama-fifteen-eight-juliet
File name:anthon.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:345'452 bytes
First seen:2020-11-26 06:44:50 UTC
Last seen:2020-11-27 08:23:37 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 7c2c71dfce9a27650634dc8b1ca03bf0 (160 x Loki, 58 x Formbook, 55 x Adware.Generic)
ssdeep 6144:LPCganNp63ePfso2zpVRZ6+u2B9xTt+7kd5YA+GIjPBKTgwtDQ:5ann+eP0LpjxuMZIj4tc
Threatray 3'249 similar samples on MalwareBazaar
TLSH 0B74120A3B20EDCACA1611B0267CD576ABF09F561104560B6FD03F1FB17989A8D5FAB3
Reporter abuse_ch
Tags:exe FormBook


Avatar
abuse_ch
Malspam distributing Formbook:

HELO: ncsline.com
Sending IP: 193.56.28.122
From: Margret Sarwar <accounting-spo@ncsline.com>
Subject: New_PO #17-08-20TNQ1
Attachment: New_PO17-08-20TNQ1.zip (contains "anthon.exe")

Intelligence

File Origin
# of uploads :
4
# of downloads :
167
Origin country :
n/a
Vendor Threat Intelligence
Gathering data
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% directory
Creating a file
Creating a file in the %AppData% subdirectories
Launching a process
Sending a UDP request
Forced shutdown of a system process
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/547810
Signature
Hijacks the control flow in another process
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for submitted file
Overwrites code with unconditional jumps - possibly settings hooks in foreign process
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Tries to detect virtualization through RDTSC time measurements
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 323008 Sample: anthon.exe Startdate: 26/11/2020 Architecture: WINDOWS Score: 100 40 www.eczamix.com 2->40 42 www.mapomarket.com 2->42 58 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->58 60 Malicious sample detected (through community Yara rule) 2->60 62 Multi AV Scanner detection for submitted file 2->62 64 2 other signatures 2->64 12 anthon.exe 39 2->12         started        signatures3 process4 file5 32 C:\Users\user\AppData\...\crtowordsit.dll, PE32 12->32 dropped 34 C:\...\MicrosoftVisualStudioVCProject.dll, PE32 12->34 dropped 36 C:\Users\user\AppData\Local\...\vjscsvr.exe, PE32 12->36 dropped 38 4 other files (none is malicious) 12->38 dropped 15 rundll32.exe 12->15         started        process6 signatures7 74 Overwrites code with unconditional jumps - possibly settings hooks in foreign process 15->74 76 Hijacks the control flow in another process 15->76 78 Maps a DLL or memory area into another process 15->78 18 cmd.exe 15->18         started        process8 signatures9 50 Overwrites code with unconditional jumps - possibly settings hooks in foreign process 18->50 52 Modifies the context of a thread in another process (thread injection) 18->52 54 Maps a DLL or memory area into another process 18->54 56 3 other signatures 18->56 21 explorer.exe 18->21 injected process10 dnsIp11 44 www.linghuidz.com 156.241.53.168, 49737, 80 XIAOZHIYUN1-AS-APICIDCNETWORKUS Seychelles 21->44 46 www.izicomp.net 51.38.230.18, 49746, 80 OVHFR France 21->46 48 12 other IPs or domains 21->48 66 System process connects to network (likely due to code injection or exploit) 21->66 25 cscript.exe 21->25         started        signatures12 process13 signatures14 68 Modifies the context of a thread in another process (thread injection) 25->68 70 Maps a DLL or memory area into another process 25->70 72 Tries to detect virtualization through RDTSC time measurements 25->72 28 cmd.exe 1 25->28         started        process15 process16 30 conhost.exe 28->30         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/29f75d4db1b85197038c1ed08661ef0a72158ac895e6aac76526bab07d83c318/
Threat name:
Win32.Trojan.BypassUac
Create hunting rule
Status:
Malicious
First seen:
2020-11-26 00:56:17 UTC
AV detection:
22 of 29 (75.86%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=fh3v2tnrxbizoa4md3iimyppbjzblcwisxtkvr3fe25la7mdymma._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
0cb6321f6fc601ac2d3170f04cd0f490af9d4ee0ad2a2eb94c8c39c4e06f2d65
Formbook
15c7df3fd38078bfe8814c09bc69279c91ae32fc7178912998b6eca91f4d82b8
Formbook
6499e8029a2f0db6a6a601d425217cd6bf076fe96accdce24fe042b24001bc8f
Formbook
77839da1c15d6390080afe07320af399a007d5b69bf4fcdf63fc71e795929cf7
Formbook
7910fbd27cb1e4fd04a3356d45036821ed924ef1b8de3117d677be4938cb5140
Formbook
c2ed9a707bd10d4d9d9291d1fd7bc7316d8a80f846b6263c800ff89885641e37
Formbook
c926c7de61dd7fe8057e5142bbf2263004191728bc8ba132136a2fc4b7353584
Formbook
cf881c52980129f685da1dee4674018fa0fc1db346565dd917ae0160ce26b25d
Formbook
e66a524df69a19ea2fc31787e557c8738473af8e4dc7e5ca87619910b3f0a121
Formbook
ec5a75f9492dd42e6da3aedf206c5ff750b1ab67b75a88410e967c8c87bd65b7
Formbook
+ 3'239 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
family:formbook rat spyware stealer trojan
Link:
https://tria.ge/reports/201126-hegkcn6k5n/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Suspicious use of UnmapMainImage
Suspicious use of SetThreadContext
Loads dropped DLL
Formbook Payload
Formbook
Malware Config
C2 Extraction:
http://www.wellnesspharma.net/94sb/
Unpacked files
SH256 hash:
29f75d4db1b85197038c1ed08661ef0a72158ac895e6aac76526bab07d83c318
MD5 hash:
ea85c89530ed6f12fd8b75451f37afd5
SHA1 hash:
9ad88734ca8e7c7e0f09b89f244ca7f4a1f606a6
Link:
https://www.unpac.me/results/3dd4d88b-0d42-4f16-a41f-cca4ba924b40/
SH256 hash:
6f48abfe00075915b03732910b9c7325e10d84760fd2d46924191d25de46ae00
MD5 hash:
214b7024c4e0b928e995eef2a7805939
SHA1 hash:
0fdf0897e02c19420f7bb5b905e3406d08c43e99
Link:
https://www.unpac.me/results/3dd4d88b-0d42-4f16-a41f-cca4ba924b40/
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

zip 34793c1f5717a9a3b892ae1b694c9c0750eaafe83cce73cdc57148eb730bef9f

Formbook

Executable exe 29f75d4db1b85197038c1ed08661ef0a72158ac895e6aac76526bab07d83c318

(this sample)

  
Dropped by
MD5 4039288790bfd9f2c3991b0ee4d777e8
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 34793c1f5717a9a3b892ae1b694c9c0750eaafe83cce73cdc57148eb730bef9f
Cape
Cape
https://www.capesandbox.com/analysis/105596/

Comments